Wednesday, February 15, 2012

It’s unlikely that you would leave your business’s doors unlocked when you leave for the night, right? So why wouldn’t you do everything possible to protect your data? Leaving it vulnerable is worse than leaving your petty cash and physical files out to be pilfered. But there are ways to prevent data breaches from happening.

As the name suggests, a data breach refers to the unintentional exposure of private or sensitive information to someone who’s not supposed to see it. It can be the result of a malicious hack by an individual or organized crime ring, or it can be the product of simple carelessness, such as an employee tossing out a data CD without destroying it first.

The risk of a data breach is well known. According to figures compiled by Seattle-based Datacastle (www.datacastlecorp.com), the average cost of a data breach in 2010 was $7.2 million, working out to about $214 for every record breached.

KEEP DATA SAFE

How can you keep your data safe? There are a lot of ways, many of which have to do with using common sense. A good starting point is to take stock of your data and what is critical to your operations. “The first step every business needs to take to protect themselves from data breaches is to sit down and determine what ‘critical information’ means for their business,” says Elizabeth Ireland, vice president of marketing at nCircle (www.ncircle.com) in San Francisco. John L. Nicholson, an attorney with Pillsbury Winthrop Shaw Pittman law firm in Washington, D.C., outlines the four general categories of critical data. The first is credit card data, for which a company must comply with the Payment Card Industry Data Security Standard. The second category includes data covered by data breach notification laws, which exist in most states and address personal information, such as bank account or driver’s license numbers, in electronic form.

“These laws are intended to help prevent identity theft,” says Nicholson. “Some state laws also cover information on paper, and some cover medical information, as well.” The third category is medical data. If your company is covered by the Health Insurance Portability and Accountability Act (HIPAA) or the HITECH Act, there are specific requirements for protecting certain information and reporting breaches. The final category involves nonfinancial, non-health related information such as user IDs, passwords, and email addresses. For some smaller businesses, such as those that develop games or software for social media sites—where users purchase virtual goods and spend money—a breach of a user ID/password combination can hurt customers because all of their virtual goods could be sold off, according to Nicholson. “For others, the information about users could be used to make phishing attacks more accurate and convincing,” he explains.

Identifying where your data fits in those categories can help prevent data breaches and equip you to respond if and when a breach occurs. “Content management and knowledge management systems often facilitate data classification,” says Joe Gottlieb, president and CEO of San Francisco-based Sensage (www.sensage.com). “Data loss prevention and encryption efforts often lead to a better understanding of and cataloging of data relative to breach risk and sensitivity. Also, known revenue production servers are typically isolated for extra security precautions.” James McMurry, CEO of Fullerton, Calif.-based Milton Security Group (www.miltonsecurity.com), advises creating a list of every category of vital information and where it’s stored. “This allows businesses to evaluate data storage that is many times forgotten,” he says. “Email communication internally to the company is one area that some firms do not think is high on the priority list, yet it is used to send critical documents with data that is considered high priority.”